Numerous vendors have recently issued warnings about the dangerous
spread of image-based spam. These unsolicited commercial email
messages feature images that are intended to lure victims into
visiting a Web site, downloading spyware or adware, or worse.
Vendors have put forth some frightening figures. For
example:
- Messaging security firm CipherTrust Inc., which is
being acquired by Secure Computing Corp.,
reports image spam now accounts for about 15% of all spam
traffic. Many of those messages are reportedly not stopped by
text-based spam filters.
- Messaging management vendor Postini Inc. reports a higher
figure, that about 25% of spam messages this year have contained
images. In some months that figure has been as high as 30%. Postini
attributes the growth to attackers who are eager to exploit older
spam filters that are only able to analyze text.
- Email security vendor Commtouch Software Ltd. reports similar
proliferation numbers and finds that, on days when image spam is
spreading at its peak capacity, the global bandwidth and storage
consumed by spam grows by more than 70%. The Israel-based vendor's
research shows the average image spam message is 19 KB, more than
three times the size of a standard spam message.
While image spam has been around for some time, Richi Jennings,
an analyst with Ferris Research, said attackers have recently been
making use of it to more effectively bypass spam filters.
"Spammers are being cleverer in how they're sending and coding
the images," Jennings said. In the past, for instance, spammers
would add random dots to their messages or put a border of dots
around a message that contained random dots.
"We're now seeing things like taking a big image and splitting
it up into different sized tiles that fit together when you view
the message," he said. "The size and shape of the tiles varies from
message to message, so it can be difficult to spot."
Dmitri Alperovitch, a research engineer with CipherTrust, said
the "vast majority" of image spam is used in stock-scam messages,
in which senders encourage victims to buy a certain stock to raise
its value, then quickly turn around and sell the stock themselves
to make a profit.
"These are Pink Sheet stocks, traded on the OTC bulletin boards,
that typically don't get a lot of volume. They're niche companies
with no profit and no products, so when you see a spike from almost
no trades to two or three million when the spam is sent out, you
know there were a lot of people who fell for it."
He also noted that images are increasingly being used in
phishing attempts because pictures copying or closely mimicking the
logo of a reputable financial company can be more convincing than
text alone.
Though some dispute the level of danger presented by image-based
phishing as compared with text-based attempts, Scott Petry,
Postini's founder and CTO, said they present a sizable challenge
for antispam vendors and enterprises alike.
"The use of images in those phishing exploits is so correct and
accurate that the user doesn't realise when [it is not from] an eBay
or Citibank or whatever," Petry said. "We've found the images that
are in place with a phishing exploit are near impossible to
differentiate from a legitimate sender. You have to look in
different places in the message structurally to identify them."
Petry said the threat posed by image spam is not only on par with
other types of text-based spam, but also can be an additional drain
on an enterprise's bandwidth and storage resources, since images
take up more space in an organisation's Internet pipeline and on
its mail servers.
"I think image spam is going to exacerbate the administration
requirements around spam," Petry said. "By its nature, image spam is
going to be bigger and take longer to process, so I do feel there
is further pressure on IT and the messaging infrastructure to deal
with increase of data."
Petry recommended that companies pay careful attention to the
volume of incoming messages with image attachments, and if a
significant portion of those messages aren't being blocked, it may
be wise to restrict the delivery of certain image-based
messages.
"You don't want those messages to undermine the availability of
data in your enterprise," he said. "It might mean some grumpy
users, but at least the mail server will remain up and
running."
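One way to take the measurement Petry recommends, as an added example that is not part of the original article: a Python script that walks each message's MIME structure and reports what share of messages and of bytes carry image parts, and how many carry images with almost no text. The function names, the 40-character threshold and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MIN_TEXT_CHARS = 40  # assumed cut-off: below this a text-only filter has little to score

def profile(raw: bytes) -> dict:
    """Walk one message's MIME tree and summarise its image content."""
    msg = message_from_bytes(raw, policy=policy.default)
    images = image_bytes = text_chars = 0
    for part in msg.walk():
        # Multipart containers decode to None and match neither branch below.
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image":
            images += 1
            image_bytes += len(payload)
        elif part.get_content_maintype() == "text":
            text_chars += len(payload.strip())
    return {"size": len(raw), "images": images, "image_bytes": image_bytes,
            "image_only": images > 0 and text_chars < MIN_TEXT_CHARS}

def summarise(raw_messages) -> dict:
    """Share of messages and of bytes that carry image parts."""
    profiles = [profile(r) for r in raw_messages]
    with_images = [p for p in profiles if p["images"]]
    total = sum(p["size"] for p in profiles)
    return {
        "messages": len(profiles),
        "with_images": len(with_images),
        "image_share": len(with_images) / len(profiles) if profiles else 0.0,
        "byte_share": sum(p["size"] for p in with_images) / total if total else 0.0,
        "image_only": sum(p["image_only"] for p in profiles),
    }

def _sample(text: str, tiles: int = 0) -> bytes:  # constructed test message
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "constructed"
    m.set_content(text)
    for i in range(tiles):  # dummy GIF parts of varying size
        m.add_attachment(bytes(2000 + 300 * i), maintype="image", subtype="gif")
    return m.as_bytes()

SAMPLES = [  # constructed inputs, not real traffic
    _sample("Minutes from Tuesday's meeting are below.\n" * 5),
    _sample("Quarterly report attached, chart included.\n" * 3, tiles=1),
    _sample("see image", tiles=4),
    _sample("hi", tiles=1),
]

if __name__ == "__main__":
    print(summarise(SAMPLES))
```

Run against the mail that reached inboxes and again against the mail the filter blocked, the two summaries show how much image-bearing traffic is getting through.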
Still, Jennings said organisations using comprehensive antispam
products -- those that focus on both the content and origin of
messages -- have little to worry about, other than to make sure
they're on the latest version of their vendor's products and
receiving regular updates.
"However, if they're still finding a lot of image-based spam
[getting through], they should be thinking about migrating to
something that is working, because there are plenty of solutions
out there that are doing a good job with it."